Privacy Policy
Your privacy matters to us. This policy explains how WAgent collects, uses, and protects your information.
Effective Date: March 31, 2026 · Last Updated: March 31, 2026
1. Introduction
WAgent ("we," "us," or "our") operates the WAgent platform, a multi-tenant SaaS service that enables businesses to manage WhatsApp-based marketing campaigns and AI-powered conversational agents through the official Meta Cloud API. This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you use our website and platform.
2. Information We Collect
2.1 Account Information
When you register for WAgent, we collect:
- Full name and email address
- Organization name and details
- Authentication credentials managed through our identity provider (Keycloak), including Google OAuth tokens if you choose to sign in with Google
2.2 WhatsApp Business Data
When you connect your WhatsApp Business account via Meta Embedded Signup, we collect and process:
- WhatsApp Business Account ID and phone number ID provided by Meta
- Business profile information (display name, quality rating, status)
- Message content sent and received through the Meta Cloud API, including text, media, and template messages
- Message delivery metadata (timestamps, delivery status, read receipts)
- Webhook event data from Meta for incoming messages
2.3 Contact and Campaign Data
- Contact lists you upload (phone numbers, names, and any additional fields in your CSV/XLSX files)
- Campaign configurations, message templates, and scheduling preferences
- Campaign analytics (delivery rates, read rates, reply rates)
2.4 AI Agent Data
- Knowledge base documents you upload (PDFs, DOCX, TXT files, URLs)
- Conversation logs between your AI agents and your end-users
- Agent configuration (system prompts, tone settings, rules)
2.5 Usage and Technical Data
- Browser type, IP address, device information, and operating system
- Pages visited, features used, and time spent on the platform
- Error logs and performance data
3. How We Use Your Information
We access WhatsApp Business data solely through the official Meta Cloud API and in accordance with Meta's Platform Terms and WhatsApp Business Policy. We do not store WhatsApp message content longer than necessary to provide the Service.
We use the information we collect to:
- Provide, operate, and maintain the WAgent platform and its features
- Send and receive WhatsApp messages on your behalf through the Meta Cloud API
- Power AI-driven conversational agents using your uploaded knowledge base
- Process and execute broadcast campaigns to your contact groups
- Process payments and manage your subscription
- Provide customer support and respond to your inquiries
- Improve our platform, develop new features, and fix bugs
- Ensure compliance with Meta's platform policies and applicable laws
4. Legal Basis for Processing
We process your personal data under the following lawful bases:
- Contractual Necessity: Processing required to provide the WAgent platform and fulfill our obligations under the Terms of Service (e.g., sending WhatsApp messages, managing your account, processing payments).
- Legitimate Interest: Processing for platform security, fraud prevention, service improvement, and analytics, where our interests do not override your fundamental rights.
- Consent: Where required by law, we obtain your explicit consent before processing (e.g., optional marketing communications). You may withdraw consent at any time.
- Legal Obligation: Processing necessary to comply with applicable laws, regulations, or legal proceedings.
5. Third-Party Services and Data Sharing
We share your data with the following third-party service providers strictly as necessary to operate the platform:
Meta Platforms (WhatsApp Cloud API)
We use the official Meta Cloud API (v21.0) to send and receive WhatsApp messages on your behalf. Message content and recipient phone numbers are transmitted to Meta's servers as required to deliver messages. Meta's use of this data is governed by WhatsApp's Business Policy.
AI Processing (DeepSeek)
Conversation data and knowledge base content are sent to DeepSeek's API (OpenAI-compatible) to power AI agent responses. We only transmit the minimum data necessary for generating relevant replies. DeepSeek acts as a data sub-processor under contractual obligations that require them to process data solely for providing the AI service and to implement appropriate security measures.
Payment Processing (Stripe)
Payment information is processed directly by Stripe. We do not store your full credit card number on our servers. Stripe's handling of your data is governed by Stripe's Privacy Policy.
Authentication (Keycloak)
We use a self-hosted Keycloak instance for authentication and identity management. Your authentication tokens and session data are managed securely within our own infrastructure.
We do not sell, rent, or trade your personal information to third parties for their marketing purposes.
6. Data Storage and Security
Your data is stored in a PostgreSQL database with tenant isolation enforced via organization-level access controls. We implement the following security measures:
- Encryption in transit (TLS/HTTPS) for all communications
- Encryption at rest for sensitive data, including WhatsApp access tokens (AES-256)
- Row-level security (RLS) in our database to ensure strict multi-tenant data isolation
- JWT-based authentication with short-lived access tokens
- Role-based access control (Owner, Admin, Member) within organizations
7. International Data Transfers
Your data may be transferred to and processed in countries other than your country of residence. Specifically:
- Meta (WhatsApp Cloud API): Message data is processed by Meta's global infrastructure in accordance with their data processing terms.
- DeepSeek (AI Processing): Conversation data may be processed on servers located outside the European Economic Area. We ensure appropriate safeguards are in place, including contractual clauses requiring data protection standards equivalent to those in your jurisdiction.
- Stripe (Payments): Payment data is processed by Stripe in accordance with their global data processing agreement.
Where required by applicable law (such as the GDPR), we rely on Standard Contractual Clauses (SCCs) or other approved transfer mechanisms to ensure an adequate level of data protection for international transfers.
8. Data Retention
We retain your data for as long as your account is active or as needed to provide services. Campaign data and message logs are retained for up to 12 months after delivery. If you delete your account, we will delete or anonymize your personal data within 30 days, except where we are required to retain it by law. See our Data Deletion page for details on how to request deletion.
9. Cookies
We use essential cookies to maintain your authenticated session and store your UI preferences (such as sidebar state). We do not use third-party advertising or tracking cookies. By using our platform, you consent to the use of these essential cookies.
10. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you
- Rectification: Request correction of inaccurate or incomplete data
- Deletion: Request deletion of your personal data (see our Data Deletion page)
- Portability: Request your data in a portable, machine-readable format
- Objection: Object to the processing of your personal data for certain purposes
- Restriction: Request that we limit the processing of your personal data
To exercise any of these rights, please contact us at contact@getwagent.com. We will respond to your request within 30 days.
11. Children's Privacy
WAgent is a business-to-business platform and is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will take steps to delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws. We will notify you of material changes by posting the updated policy on this page and updating the "Last Updated" date. Your continued use of the platform after changes are posted constitutes your acceptance of the revised policy.
13. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us:
WAgent
230 Rte des Dolines, 06560 Valbonne, France
Email: contact@getwagent.com
Website: getwagent.com/contact